/**
* 检查用户是否有此操作权限
*
* @param string the name of the operation that need access check
* @param mixed the user ID. This should can be either an integer and a string representing
* the unique identifier of a user. See {@link IWebUser::getId}.
* @param array name-value pairs that would be passed to biz rules associated
* with the tasks and roles assigned to the user.
* @return boolean whether the operations can be performed by the user.
* @tudo 检查任务的bizrule
*/
public function checkAccess($itemName, $userId = null, $params = array())
{
// 关闭RBAC验证模式时直接返回true
if (!\Yii::$app->getModule('rbac')->rbacCheck) {
return true;
}
if ($userId == null) {
$userId = \Yii::$app->user->id;
//当前用户
}
// 根据用户角色组合权限,判断是否有该权限。权限又分操作权限、数据权限、自定义权限。
// 检查操作权限 先获取用户所有的操作项权限
$authItems = RbacAuthitems::getUserOperationAuthItems($userId);
// 如果授权数组为空或返回false,则返回false
if (!is_array($authItems)) {
return false;
}
$itemName = strtolower($itemName);
foreach ($authItems as $k => $item) {
if (strtolower($k) == $itemName) {
$itemName = $k;
break;
}
}
if (isset($authItems[$itemName])) {
return true;
}
return false;
}
public function actionCheckAuthitems()
{
$model = new models\RbacAuthitems();
//检测此表权限的有效性
$notExistAuthitems = $model->checkAuthitems();
$actions = Yii::$app->request->post('actions');
if ($actions) {
//安全过滤 防止删除掉不应该删掉的权限
$actions = array_intersect($actions, $notExistAuthitems);
// 然后再通过actions name 来删除关系表中的数据
if (models\RbacAuthitems::deleteAuthItemByNames($actions)) {
//刷新总允许运行的权限缓存
models\RbacAuthitems::getAllowedAccess(false);
}
$notExistAuthitems = array_diff($notExistAuthitems, $actions);
}
return $this->render('/rbac/authitems/checkAuthitems', ['model' => $model, 'notExistAuthitems' => $notExistAuthitems]);
}
public function actionUnAssignUser($user_id, $role_id)
{
if (preg_match('/^\\d+$/', $user_id) && preg_match('/^\\d+$/', $role_id)) {
//删除用户角色的授权
if (models\RbacUserRole::deleteUserRoles($user_id, [$role_id])) {
// 更新用户权限缓存
models\RbacAuthitems::getUserOperationAuthItems($user_id, false);
}
} else {
throw new Exception('params is not safe!');
}
return $this->redirect(['/rbac/role/related', 'id' => $role_id]);
}
public function actionAssignItems($id)
{
$model = self::findModel($id);
$items = Yii::$app->request->post('authItems');
if (!is_array($items)) {
throw new Exception('Invalid request.Params has Error. Please do not repeat this request again.');
}
// 安全过滤待授权的项目
$authItems = models\RbacAuthitems::getCanAssignItems();
$items = array_intersect($items, $authItems);
if ($items && models\RbacTaskItems::assignItemsToTask($id, $items)) {
echo '授权成功';
} else {
throw new Exception('授权失败');
}
}
/**
* The auth items that access is always allowed. Configured in srbac module's
* configuration
* @return The always allowed auth items
*/
protected function allowedAccess()
{
return RbacAuthitems::getAllowedAccess();
}